@clawdreyhepburn/carapace 0.3.2 → 0.4.0

package/dist/mcp-aggregator.d.ts

@@ -0,0 +1,29 @@
+/**
+ * MCP Aggregator — connects to multiple upstream MCP servers,
+ * discovers their tools, and proxies calls through Cedar authorization.
+ */
+import type { Logger, ServerConfig, McpTool, ServerStatus, CedarEngineInterface } from "./types.js";
+interface AggregatorOpts {
+    servers: Record<string, ServerConfig>;
+    cedar: CedarEngineInterface;
+    logger: Logger;
+}
+export declare class McpAggregator {
+    private servers;
+    private serverConfigs;
+    private cedar;
+    private logger;
+    constructor(opts: AggregatorOpts);
+    /** Connect to all configured MCP servers and discover tools */
+    connectAll(): Promise<void>;
+    /** Disconnect all servers */
+    disconnectAll(): Promise<void>;
+    /** List all discovered tools across all servers */
+    listTools(serverFilter?: string): McpTool[];
+    /** Get status of all servers */
+    getServerStatus(): Record<string, ServerStatus>;
+    /** Call a tool on the appropriate upstream server */
+    callTool(qualifiedName: string, args: Record<string, unknown>): Promise<any>;
+    private connectServer;
+}
+export {};

package/dist/mcp-aggregator.js

@@ -0,0 +1,144 @@
+/**
+ * MCP Aggregator — connects to multiple upstream MCP servers,
+ * discovers their tools, and proxies calls through Cedar authorization.
+ */
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+export class McpAggregator {
+    servers = new Map();
+    serverConfigs;
+    cedar;
+    logger;
+    constructor(opts) {
+        this.serverConfigs = opts.servers;
+        this.cedar = opts.cedar;
+        this.logger = opts.logger;
+    }
+    /** Connect to all configured MCP servers and discover tools */
+    async connectAll() {
+        const entries = Object.entries(this.serverConfigs);
+        this.logger.info(`Connecting to ${entries.length} MCP server(s)...`);
+        await Promise.allSettled(entries.map(([name, config]) => this.connectServer(name, config)));
+        const total = this.listTools().length;
+        const connected = [...this.servers.values()].filter((s) => s.connected).length;
+        this.logger.info(`Connected: ${connected}/${entries.length} servers, ${total} tools discovered`);
+    }
+    /** Disconnect all servers */
+    async disconnectAll() {
+        for (const [name, server] of this.servers) {
+            try {
+                await server.transport?.close?.();
+                this.logger.debug?.(`Disconnected: ${name}`);
+            }
+            catch (err) {
+                this.logger.warn(`Error disconnecting ${name}: ${err}`);
+            }
+        }
+        this.servers.clear();
+    }
+    /** List all discovered tools across all servers */
+    listTools(serverFilter) {
+        const tools = [];
+        for (const server of this.servers.values()) {
+            if (serverFilter && server.name !== serverFilter)
+                continue;
+            for (const tool of server.tools) {
+                tools.push({
+                    ...tool,
+                    enabled: this.cedar.isToolEnabled(tool.qualifiedName),
+                });
+            }
+        }
+        return tools;
+    }
+    /** Get status of all servers */
+    getServerStatus() {
+        const status = {};
+        for (const [name, server] of this.servers) {
+            status[name] = {
+                connected: server.connected,
+                toolCount: server.tools.length,
+                error: server.error,
+            };
+        }
+        return status;
+    }
+    /** Call a tool on the appropriate upstream server */
+    async callTool(qualifiedName, args) {
+        const [serverName, toolName] = qualifiedName.split("/", 2);
+        const server = this.servers.get(serverName);
+        if (!server) {
+            return {
+                content: [{ type: "text", text: `Server not found: ${serverName}` }],
+                isError: true,
+            };
+        }
+        if (!server.connected) {
+            return {
+                content: [{ type: "text", text: `Server not connected: ${serverName}` }],
+                isError: true,
+            };
+        }
+        try {
+            const result = await server.client.callTool({ name: toolName, arguments: args });
+            return result;
+        }
+        catch (err) {
+            return {
+                content: [{ type: "text", text: `Tool call failed: ${err.message}` }],
+                isError: true,
+            };
+        }
+    }
+    // --- Private ---
+    async connectServer(name, config) {
+        const entry = {
+            name,
+            config,
+            client: new Client({ name: `mcp-cedar-proxy/${name}`, version: "0.1.0" }),
+            transport: null,
+            tools: [],
+            connected: false,
+        };
+        try {
+            if (config.transport === "stdio") {
+                if (!config.command)
+                    throw new Error("stdio transport requires 'command'");
+                entry.transport = new StdioClientTransport({
+                    command: config.command,
+                    args: config.args ?? [],
+                    env: { ...process.env, ...(config.env ?? {}) },
+                });
+            }
+            else if (config.transport === "http" || config.transport === "sse") {
+                if (!config.url)
+                    throw new Error(`${config.transport} transport requires 'url'`);
+                // TODO: Add HTTP/SSE transport support
+                // For now, only stdio is implemented
+                throw new Error(`${config.transport} transport not yet implemented — use stdio`);
+            }
+            else {
+                throw new Error(`Unknown transport: ${config.transport}`);
+            }
+            await entry.client.connect(entry.transport);
+            entry.connected = true;
+            // Discover tools
+            const toolsResult = await entry.client.listTools();
+            entry.tools = (toolsResult.tools ?? []).map((t) => ({
+                name: t.name,
+                qualifiedName: `${name}/${t.name}`,
+                server: name,
+                description: t.description ?? "",
+                inputSchema: t.inputSchema,
+                enabled: false, // Will be resolved against Cedar policies
+            }));
+            this.logger.info(`Connected to ${name}: ${entry.tools.length} tools`);
+        }
+        catch (err) {
+            entry.error = err.message;
+            this.logger.warn(`Failed to connect to ${name}: ${err.message}`);
+        }
+        this.servers.set(name, entry);
+    }
+}
+//# sourceMappingURL=mcp-aggregator.js.map

package/dist/mcp-aggregator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-aggregator.js","sourceRoot":"","sources":["../src/mcp-aggregator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAqBjF,MAAM,OAAO,aAAa;IAChB,OAAO,GAAiC,IAAI,GAAG,EAAE,CAAC;IAClD,aAAa,CAA+B;IAC5C,KAAK,CAAuB;IAC5B,MAAM,CAAS;IAEvB,YAAY,IAAoB;QAC9B,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC;QAClC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC5B,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,UAAU;QACd,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,MAAM,mBAAmB,CAAC,CAAC;QAErE,MAAM,OAAO,CAAC,UAAU,CACtB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAClE,CAAC;QAEF,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;QACtC,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QAC/E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,SAAS,IAAI,OAAO,CAAC,MAAM,aAAa,KAAK,mBAAmB,CAAC,CAAC;IACnG,CAAC;IAED,6BAA6B;IAC7B,KAAK,CAAC,aAAa;QACjB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,mDAAmD;IACnD,SAAS,CAAC,YAAqB;QAC7B,MAAM,KAAK,GAAc,EAAE,CAAC;QAC5B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,IAAI,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC3D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,KAAK,CAAC,IAAI,CAAC;oBACT,GAAG,IAAI;oBACP,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC;iBACtD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gCAAgC;IAChC,eAAe;QACb,MAAM,MAAM,GAAiC,EAAE,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,GAAG;gBACb,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;gBAC9B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,QAAQ,CAAC,aAAqB,EAAE,IAA6B;QACjE,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,UAAU,EAAE,EAAE,CAAC;gBACpE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,yBAAyB,UAAU,EAAE,EAAE,CAAC;gBACxE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACjF,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBACrE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC;IAED,kBAAkB;IAEV,KAAK,CAAC,aAAa,CAAC,IAAY,EAAE,MAAoB;QAC5D,MAAM,KAAK,GAAoB;YAC7B,IAAI;YACJ,MAAM;YACN,MAAM,EAAE,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,mBAAmB,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YACzE,SAAS,EAAE,IAAI;YACf,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;SACjB,CAAC;QAEF,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,OAAO;oBAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAE3E,KAAK,CAAC,SAAS,GAAG,IAAI,oBAAoB,CAAC;oBACzC,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;oBACvB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,EAA4B;iBACzE,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,MAAM,CAAC,SAAS,KAAK,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,KAAK,EAAE,CAAC;gBACrE,IAAI,CAAC,MAAM,CAAC,GAAG;oBAAE,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,SAAS,2BAA2B,CAAC,CAAC;gBAEjF,uCAAuC;gBACvC,qCAAqC;gBACrC,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,SAAS,4CAA4C,CAAC,CAAC;YACnF,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YAC5D,CAAC;YAED,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC5C,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC;YAEvB,iBAAiB;YACjB,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACnD,KAAK,CAAC,KAAK,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAClD,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,aAAa,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE;gBAClC,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE;gBAChC,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,OAAO,EAAE,KAAK,EAAE,0CAA0C;aAC3D,CAAC,CAAC,CAAC;YAEJ,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,IAAI,KAAK,KAAK,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAChC,CAAC;CACF"}

package/dist/policy-source.d.ts

@@ -0,0 +1,21 @@
+/**
+ * PolicySource — exposes Carapace's deployment-level Cedar policies
+ * so that OVID-ME can query the effective policy ceiling.
+ */
+/**
+ * Interface matching @clawdreyhepburn/ovid-me's PolicySource.
+ * Defined locally to avoid circular dependencies.
+ */
+export interface PolicySource {
+    getEffectivePolicy(principal: string): Promise<string | null>;
+}
+/**
+ * Reads all .cedar files from the policy directory and returns
+ * the concatenated policy text. Carapace policies are deployment-wide
+ * (not per-principal), so all policies apply to all principals.
+ */
+export declare class CarapacePolicySource implements PolicySource {
+    private policyDir;
+    constructor(policyDir?: string);
+    getEffectivePolicy(_principal: string): Promise<string | null>;
+}

package/dist/policy-source.js

@@ -0,0 +1,28 @@
+/**
+ * PolicySource — exposes Carapace's deployment-level Cedar policies
+ * so that OVID-ME can query the effective policy ceiling.
+ */
+import { readFileSync, readdirSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+/**
+ * Reads all .cedar files from the policy directory and returns
+ * the concatenated policy text. Carapace policies are deployment-wide
+ * (not per-principal), so all policies apply to all principals.
+ */
+export class CarapacePolicySource {
+    policyDir;
+    constructor(policyDir) {
+        this.policyDir = (policyDir ?? "~/.openclaw/mcp-policies/").replace("~", homedir());
+    }
+    async getEffectivePolicy(_principal) {
+        if (!existsSync(this.policyDir))
+            return null;
+        const files = readdirSync(this.policyDir).filter(f => f.endsWith(".cedar"));
+        if (files.length === 0)
+            return null;
+        const policies = files.map(f => readFileSync(join(this.policyDir, f), "utf-8"));
+        return policies.join("\n\n");
+    }
+}
+//# sourceMappingURL=policy-source.js.map

package/dist/policy-source.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-source.js","sourceRoot":"","sources":["../src/policy-source.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC;;;;GAIG;AACH,MAAM,OAAO,oBAAoB;IACvB,SAAS,CAAS;IAE1B,YAAY,SAAkB;QAC5B,IAAI,CAAC,SAAS,GAAG,CAAC,SAAS,IAAI,2BAA2B,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7C,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5E,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAChF,OAAO,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;CACF"}

package/dist/types.d.ts

@@ -0,0 +1,135 @@
+/**
+ * Type definitions for the MCP Cedar Proxy plugin.
+ */
+export interface Logger {
+    info(msg: string, ...args: any[]): void;
+    warn(msg: string, ...args: any[]): void;
+    error(msg: string, ...args: any[]): void;
+    debug?(msg: string, ...args: any[]): void;
+}
+export interface ToolDef {
+    name: string;
+    description: string;
+    parameters: Record<string, any>;
+    handler(args: any): Promise<any>;
+}
+export interface PluginConfig {
+    guiPort?: number;
+    servers?: Record<string, ServerConfig>;
+    policyDir?: string;
+    defaultPolicy?: "deny-all" | "allow-all";
+    verify?: boolean;
+    /** LLM proxy configuration — sits between agent and LLM provider */
+    proxy?: {
+        enabled?: boolean;
+        port?: number;
+        upstream?: {
+            anthropic?: {
+                url?: string;
+                apiKey: string;
+            };
+            openai?: {
+                url?: string;
+                apiKey: string;
+            };
+        };
+    };
+}
+export interface ServerConfig {
+    transport: "stdio" | "http" | "sse";
+    command?: string;
+    args?: string[];
+    env?: Record<string, string>;
+    url?: string;
+}
+export interface McpTool {
+    name: string;
+    qualifiedName: string;
+    server: string;
+    description: string;
+    inputSchema?: Record<string, any>;
+    enabled: boolean;
+}
+/** A gated resource — tools, shell commands, or APIs */
+export interface GatedResource {
+    id: string;
+    type: "tool" | "shell" | "api";
+    name: string;
+    description: string;
+    source: string;
+    enabled: boolean;
+    metadata?: Record<string, unknown>;
+}
+export interface ShellRule {
+    id: string;
+    pattern: string;
+    description: string;
+    enabled: boolean;
+}
+export interface ApiRule {
+    id: string;
+    pattern: string;
+    method?: string;
+    description: string;
+    enabled: boolean;
+}
+export interface ServerStatus {
+    connected: boolean;
+    toolCount: number;
+    lastSeen?: number;
+    error?: string;
+}
+export interface CedarDecision {
+    decision: "allow" | "deny";
+    reasons: string[];
+}
+export interface AuthzRequest {
+    principal: string;
+    action: string;
+    resource: string;
+    context?: Record<string, unknown>;
+}
+/** Common interface for Cedar engines (homebrew and Cedarling) */
+export interface CedarEngineInterface {
+    init(): Promise<void>;
+    authorize(request: AuthzRequest): Promise<CedarDecision>;
+    enableTool(qualifiedName: string): void;
+    disableTool(qualifiedName: string): void;
+    isToolEnabled(qualifiedName: string): boolean;
+    savePolicy(id: string, raw: string): void;
+    deletePolicy(id: string): boolean;
+    getDefaultPolicy(): "deny-all" | "allow-all";
+    getPolicies(): Array<{
+        id: string;
+        effect: string;
+        raw: string;
+    }>;
+    getSchema(): CedarSchemaInfo;
+    saveSchema(raw: string): void;
+    verify(): Promise<VerifyResult>;
+}
+export interface VerifyResult {
+    ok: boolean;
+    issues: string[];
+    durationMs: number;
+}
+export interface CedarSchemaInfo {
+    entities: SchemaEntity[];
+    actions: SchemaAction[];
+    raw: string;
+}
+export interface SchemaEntity {
+    name: string;
+    parents: string[];
+    attributes: SchemaAttribute[];
+}
+export interface SchemaAttribute {
+    name: string;
+    type: string;
+    optional: boolean;
+}
+export interface SchemaAction {
+    name: string;
+    principalTypes: string[];
+    resourceTypes: string[];
+}

package/dist/types.js

@@ -0,0 +1,5 @@
+/**
+ * Type definitions for the MCP Cedar Proxy plugin.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/docs/carapace_proxy_tool_filter_flow_v3.svg

@@ -0,0 +1,96 @@
+<svg width="100%" viewBox="0 0 680 400" xmlns="http://www.w3.org/2000/svg" style="background:#0a0a0a;border-radius:12px">
+  <defs>
+    <marker id="ag" viewBox="0 0 10 10" refX="8" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
+      <path d="M2 1L8 5L2 9" fill="none" stroke="#c4a87c" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+    </marker>
+    <marker id="ar" viewBox="0 0 10 10" refX="8" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
+      <path d="M2 1L8 5L2 9" fill="none" stroke="#e06060" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+    </marker>
+    <marker id="at" viewBox="0 0 10 10" refX="8" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
+      <path d="M2 1L8 5L2 9" fill="none" stroke="#81d8d0" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+    </marker>
+  <mask id="imagine-text-gaps-g13kxz" maskUnits="userSpaceOnUse"><rect x="0" y="0" width="680" height="400" fill="white"/><rect x="19.763973236083984" y="12.194276809692383" width="118.4720458984375" height="18.639095306396484" fill="black" rx="2"/><rect x="270.71435546875" y="12.194276809692383" width="138.5712890625" height="18.639095306396484" fill="black" rx="2"/><rect x="538.2554321289062" y="12.194276809692383" width="125.48906707763672" height="18.639095306396484" fill="black" rx="2"/><rect x="39.7894287109375" y="62.7220458984375" width="78.42113494873047" height="19.111324310302734" fill="black" rx="2"/><rect x="43.7000732421875" y="106.72203826904297" width="70.5998420715332" height="19.111324310302734" fill="black" rx="2"/><rect x="35.8787841796875" y="150.7220458984375" width="86.24242401123047" height="19.111324310302734" fill="black" rx="2"/><rect x="211.489990234375" y="70.66650390625" width="73.02001190185547" height="18.166866302490234" fill="black" rx="2"/><rect x="215.101806640625" y="108.66651153564453" width="65.79638671875" height="18.166866302490234" fill="black" rx="2"/><rect x="207.87818908691406" y="146.66648864746094" width="80.24363708496094" height="18.166866302490234" fill="black" rx="2"/><rect x="329.021484375" y="138.08319091796875" width="37.9570198059082" height="16.27795124053955" fill="black" rx="2"/><rect x="325.6605529785156" y="150.08319091796875" width="44.67890167236328" height="16.27795124053955" fill="black" rx="2"/><rect x="401.4899597167969" y="81.66650390625" width="73.02001190185547" height="18.166866302490234" fill="black" rx="2"/><rect x="374.82843017578125" y="81.66650390625" width="17.171570777893066" height="18.166866302490234" fill="black" rx="2"/><rect x="397.8781433105469" y="123.66650390625" width="80.24363708496094" height="18.166866302490234" fill="black" rx="2"/><rect x="374.82843017578125" y="123.66650390625" width="17.171570777893066" height="18.166866302490234" fill="black" rx="2"/><rect x="315.101806640625" y="215.66650390625" width="65.79638671875" height="18.166866302490234" fill="black" rx="2"/><rect x="327.4830627441406" y="242.08319091796875" width="41.03388595581055" height="16.27795124053955" fill="black" rx="2"/><rect x="550.706787109375" y="64.777587890625" width="100.58637237548828" height="20.528011322021484" fill="black" rx="2"/><rect x="564.489990234375" y="98.66650390625" width="73.02001190185547" height="18.166866302490234" fill="black" rx="2"/><rect x="560.878173828125" y="138.66650390625" width="80.24363708496094" height="18.166866302490234" fill="black" rx="2"/></mask></defs>
+
+  <!-- ── Column headers ── -->
+  <text x="79" y="26" text-anchor="middle" font-family="sans-serif" font-size="13" font-weight="500" fill="#888" letter-spacing="0.06em" style="fill:rgb(136, 136, 136);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:sans-serif;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">LLM RESPONSE</text>
+  <text x="340" y="26" text-anchor="middle" font-family="sans-serif" font-size="13" font-weight="500" fill="#888" letter-spacing="0.06em" style="fill:rgb(136, 136, 136);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:sans-serif;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">CARAPACE PROXY</text>
+  <text x="601" y="26" text-anchor="middle" font-family="sans-serif" font-size="13" font-weight="500" fill="#888" letter-spacing="0.06em" style="fill:rgb(136, 136, 136);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:sans-serif;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">AGENT RUNTIME</text>
+
+  <!-- Lane dividers -->
+  <line x1="146" y1="34" x2="146" y2="390" stroke="#1e1e1e" stroke-width="1" stroke-dasharray="3 4" style="fill:rgb(0, 0, 0);stroke:rgb(30, 30, 30);color:rgb(0, 0, 0);stroke-width:1px;stroke-dasharray:3px, 4px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="534" y1="34" x2="534" y2="390" stroke="#1e1e1e" stroke-width="1" stroke-dasharray="3 4" style="fill:rgb(0, 0, 0);stroke:rgb(30, 30, 30);color:rgb(0, 0, 0);stroke-width:1px;stroke-dasharray:3px, 4px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- ── LLM Response box ── -->
+  <rect x="14" y="42" width="130" height="152" rx="10" fill="none" stroke="#333" stroke-width="1" style="fill:none;stroke:rgb(51, 51, 51);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <rect x="24" y="54" width="110" height="36" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="1" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="79" y="77" text-anchor="middle" font-family="monospace" font-size="13" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">read_file</text>
+  <rect x="24" y="98" width="110" height="36" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="1" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="79" y="121" text-anchor="middle" font-family="monospace" font-size="13" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">rm -rf /</text>
+  <rect x="24" y="142" width="110" height="36" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="1" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="79" y="165" text-anchor="middle" font-family="monospace" font-size="13" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:13px;font-weight:500;text-anchor:middle;dominant-baseline:auto">git status</text>
+
+  <!-- Arrow LLM → Proxy -->
+  <line x1="144" y1="118" x2="186" y2="118" stroke="#c4a87c" stroke-width="1.5" marker-end="url(#ag)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1.5px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- ── Carapace Proxy outer box ── -->
+  <rect x="188" y="42" width="304" height="240" rx="12" fill="none" stroke="#81d8d0" stroke-width="1.5" style="fill:none;stroke:rgb(129, 216, 208);color:rgb(0, 0, 0);stroke-width:1.5px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- Incoming calls listed on left side of proxy -->
+  <rect x="200" y="64" width="96" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="248" y="84" text-anchor="middle" font-family="monospace" font-size="12" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:400;text-anchor:middle;dominant-baseline:auto">read_file</text>
+  <rect x="200" y="102" width="96" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="248" y="122" text-anchor="middle" font-family="monospace" font-size="12" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:400;text-anchor:middle;dominant-baseline:auto">rm -rf /</text>
+  <rect x="200" y="140" width="96" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="248" y="160" text-anchor="middle" font-family="monospace" font-size="12" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:400;text-anchor:middle;dominant-baseline:auto">git status</text>
+
+  <!-- Cedar policy doc (center of proxy) -->
+  <rect x="326" y="82" width="44" height="56" rx="4" fill="#0f0f0a" stroke="#c4a87c" stroke-width="0.9" style="fill:rgb(15, 15, 10);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.9px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <path d="M358 82 L370 94 L358 94 Z" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="334" y1="104" x2="358" y2="104" stroke="#c4a87c" stroke-width="0.7" opacity="0.6" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.7px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.6;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="334" y1="112" x2="358" y2="112" stroke="#c4a87c" stroke-width="0.7" opacity="0.6" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.7px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.6;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="334" y1="120" x2="350" y2="120" stroke="#c4a87c" stroke-width="0.7" opacity="0.6" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.7px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.6;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="348" y="150" text-anchor="middle" font-family="sans-serif" font-size="11" fill="#c4a87c" opacity="0.8" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.8;font-family:sans-serif;font-size:11px;font-weight:400;text-anchor:middle;dominant-baseline:auto">Cedar</text>
+  <text x="348" y="162" text-anchor="middle" font-family="sans-serif" font-size="11" fill="#c4a87c" opacity="0.8" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.8;font-family:sans-serif;font-size:11px;font-weight:400;text-anchor:middle;dominant-baseline:auto">policies</text>
+
+  <!-- Arrows: incoming calls → Cedar -->
+  <line x1="296" y1="79" x2="324" y2="99" stroke="#c4a87c" stroke-width="0.8" stroke-dasharray="3 2" opacity="0.5" marker-end="url(#ag)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-dasharray:3px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.5;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="296" y1="117" x2="324" y2="112" stroke="#c4a87c" stroke-width="0.8" stroke-dasharray="3 2" opacity="0.5" marker-end="url(#ag)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-dasharray:3px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.5;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="296" y1="155" x2="324" y2="126" stroke="#c4a87c" stroke-width="0.8" stroke-dasharray="3 2" opacity="0.5" marker-end="url(#ag)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-dasharray:3px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.5;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- Permitted outputs (right side of proxy) -->
+  <rect x="396" y="75" width="84" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="1" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="438" y="95" text-anchor="middle" font-family="monospace" font-size="12" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:500;text-anchor:middle;dominant-baseline:auto">read_file</text>
+  <text x="388" y="95" text-anchor="end" font-family="sans-serif" font-size="12" fill="#c4a87c" opacity="0.7" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.7;font-family:sans-serif;font-size:12px;font-weight:400;text-anchor:end;dominant-baseline:auto">✓</text>
+
+  <rect x="396" y="117" width="84" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="1" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="438" y="137" text-anchor="middle" font-family="monospace" font-size="12" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:500;text-anchor:middle;dominant-baseline:auto">git status</text>
+  <text x="388" y="137" text-anchor="end" font-family="sans-serif" font-size="12" fill="#c4a87c" opacity="0.7" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.7;font-family:sans-serif;font-size:12px;font-weight:400;text-anchor:end;dominant-baseline:auto">✓</text>
+
+  <!-- Arrows: Cedar → permitted outputs -->
+  <line x1="370" y1="101" x2="394" y2="90" stroke="#c4a87c" stroke-width="0.8" stroke-dasharray="3 2" opacity="0.5" marker-end="url(#ag)" mask="url(#imagine-text-gaps-g13kxz)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-dasharray:3px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.5;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="370" y1="113" x2="394" y2="132" stroke="#c4a87c" stroke-width="0.8" stroke-dasharray="3 2" opacity="0.5" marker-end="url(#ag)" mask="url(#imagine-text-gaps-g13kxz)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-dasharray:3px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:0.5;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- Red drop arrow: Cedar → denied block -->
+  <path d="M348,138 L348,205" fill="none" stroke="#e06060" stroke-width="1.4" stroke-dasharray="4 2" marker-end="url(#ar)" mask="url(#imagine-text-gaps-g13kxz)" style="fill:none;stroke:rgb(224, 96, 96);color:rgb(0, 0, 0);stroke-width:1.4px;stroke-dasharray:4px, 2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- Denied block -->
+  <rect x="296" y="207" width="104" height="34" rx="5" fill="#130808" stroke="#e06060" stroke-width="1" style="fill:rgb(19, 8, 8);stroke:rgb(224, 96, 96);color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="348" y="229" text-anchor="middle" font-family="monospace" font-size="12" font-weight="500" fill="#e06060" style="fill:rgb(224, 96, 96);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:500;text-anchor:middle;dominant-baseline:auto">rm -rf /</text>
+  <line x1="298" y1="224" x2="398" y2="224" stroke="#e06060" stroke-width="1.5" stroke-linecap="round" mask="url(#imagine-text-gaps-g13kxz)" style="fill:rgb(0, 0, 0);stroke:rgb(224, 96, 96);color:rgb(0, 0, 0);stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <!-- X mark -->
+  <line x1="282" y1="214" x2="292" y2="224" stroke="#e06060" stroke-width="1.8" stroke-linecap="round" style="fill:rgb(0, 0, 0);stroke:rgb(224, 96, 96);color:rgb(0, 0, 0);stroke-width:1.8px;stroke-linecap:round;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <line x1="292" y1="214" x2="282" y2="224" stroke="#e06060" stroke-width="1.8" stroke-linecap="round" style="fill:rgb(0, 0, 0);stroke:rgb(224, 96, 96);color:rgb(0, 0, 0);stroke-width:1.8px;stroke-linecap:round;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="348" y="254" text-anchor="middle" font-family="sans-serif" font-size="11" fill="#c05050" style="fill:rgb(192, 80, 80);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:sans-serif;font-size:11px;font-weight:400;text-anchor:middle;dominant-baseline:auto">denied</text>
+
+  <!-- Arrow Proxy → Agent -->
+  <line x1="480" y1="105" x2="534" y2="105" stroke="#c4a87c" stroke-width="1.5" marker-end="url(#ag)" style="fill:rgb(0, 0, 0);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1.5px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+
+  <!-- ── Agent Runtime box ── -->
+  <rect x="536" y="42" width="130" height="152" rx="10" fill="#161208" stroke="#c4a87c" stroke-width="1.2" style="fill:rgb(22, 18, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:1.2px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="601" y="80" text-anchor="middle" font-family="sans-serif" font-size="14" font-weight="500" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:sans-serif;font-size:14px;font-weight:500;text-anchor:middle;dominant-baseline:auto">Agent Runtime</text>
+  <rect x="552" y="92" width="98" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="601" y="112" text-anchor="middle" font-family="monospace" font-size="12" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:400;text-anchor:middle;dominant-baseline:auto">read_file</text>
+  <rect x="552" y="132" width="98" height="30" rx="5" fill="#1a1508" stroke="#c4a87c" stroke-width="0.8" style="fill:rgb(26, 21, 8);stroke:rgb(196, 168, 124);color:rgb(0, 0, 0);stroke-width:0.8px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:&quot;Anthropic Sans&quot;, -apple-system, &quot;system-ui&quot;, &quot;Segoe UI&quot;, sans-serif;font-size:16px;font-weight:400;text-anchor:start;dominant-baseline:auto"/>
+  <text x="601" y="152" text-anchor="middle" font-family="monospace" font-size="12" fill="#c4a87c" style="fill:rgb(196, 168, 124);stroke:none;color:rgb(0, 0, 0);stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;opacity:1;font-family:monospace;font-size:12px;font-weight:400;text-anchor:middle;dominant-baseline:auto">git status</text>
+
+</svg>